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Abstract 

We consider the problem of securing a multicast network against a wiretapper that can intercept 
the packets on a limited number of arbitrary network edges of its choice. We assume that the network 
employs the network coding technique to simultaneously deliver the packets available at the source to 
all the receivers. We show that this problem can be looked at as a network generalization of the wiretap 
channel of type II introduced in a seminal paper by Ozarow and Wyner. In particular, we show that 
the transmitted information can be secured by using the Ozarow-Wyner approach of coset coding at 
the source on top of the existing network code. This way, we quickly and transparently recover some 
of the results available in the literature on secure network coding for wiretap networks. Moreover, we 
derive new bounds on the required alphabet size that are independent of the network size and devise an 
algorithm for the construction of secure network codes. We also look at the dual problem and analyze the 
amount of information that can be gained by the wiretapper as a function of the number of wiretapped 
edges. 

I. Introduction 

Consider a communication network represented as a directed graph G = (V, E) with unit 
capacity edges and an information source S that multicasts information to t receivers Ri , . . . , R t 
located at distinct nodes. Assume that the minimum size of a cut that separates the source and 
each receiver node is n. It is known that a multicast rate of n is achievable by using a linear 
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network coding scheme [2], [3]. In this paper, we focus on secure multicast connections in the 
presence of a wiretapper that can access data on a limited number of edges of its choice. Our 
primary goal is to design a network coding scheme that delivers data at maximum rate to all the 
destinations and does not reveal any information about the transmitted message to the wiretapper. 

The problem of making a linear network code information-theoretically secure in the presence 
of a wiretaper that can look at a bounded number, say /i, of network edges was first studied by 
Cai and Yeung in [4]. They considered directed graphs and constructed codes over an alphabet 
with at least ('^') elements which can support a secure multicast rate of up to n — /i. In [5], they 
proved that these codes use the minimum amount of randomness required to achieve the security 
constraint. However, the algorithm due to [4] has high computational complexity and requires 
a very large field size (exponential in the number of wiretapped edges). Feldman et al. derived 
trade-offs between security, code alphabet size, and multicast rate of secure linear network coding 
schemes in [6], by using ideas from secret sharing and abstracting the network topology. Another 
approach was taken by Jain in [7] who obtained security by merely exploiting the topology of 
the underlying network. Weakly secure network codes that insure that no meaningful information 
is revealed to the adversary were studied by Bhattad and Narayanan in [8]. 

A related line of work considers a more powerful Byzantine adversary that can also modify the 
packets on the edges it controls. Such an adversary can be potentially more harmful in networks 
that employ the network coding technique because a modification in one packet can propagate 
throughout the network and affect other packets as well. Secure network coding in the presence 
of a Byzantine adversary has been studied by Ho et al. in [9] and Jaggi et al. in [10], [11], [12]. 
In [11], [12], the authors devise distributed polynomial-time algorithms that are rate-optimal and 
achieve information theoretical security against several scenarios of adversarial attacks. 

The problem of error correction in networks was also studied by Cai and Yeung in [13], 
[14] where they generalized classical error-correction coding techniques to network settings. A 
different model for error correction was introduced by Koetter and Kschischang in [15] where 
communication is established by transmitting subspaces instead of vectors through the network. 
The use of rank- metric codes for error control under this model was investigated in [16]. The 
common approach in these works is to encode packets at the source, prior to sending them over 
the network, using an error correcting code so that the packets carry not only data but also 
some redundant information derived from the data which will help to reduce the probability of 
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incorrect decoding. 

We also consider the coding at the source technique to be a natural approach for addressing 
the information-theoretic security of wiretap networks. In a network where the min-cut value 
between the source and each receiver node is n and an adversary can access up to li edges of 
his choice, we introduce a coding at source scheme that ensures information-theoretic security 
based on the Ozarow-Wyner wiretap channel of type II, introduced in [17] and [18], where the 
source transmits n symbols to the receiver and an adversary can access any li of those symbols. 

Ozarow and Wyner showed that the maximum number of symbols (say k) that the source 
can communicate to the receiver securely in the information-theoretic sense is equal to n — li. 
They also showed how to encode the k source symbols into the n channel symbols for secure 
transmission. Clearly, if the n channel symbols are multicast over a network using a routing 
scheme, the k source symbols remain secure in the presence of an adversary with access to 
any li edges. We will illustrate later that this is not necessarily the case when network coding 
is used. However, we will show that a network code based on the Ozarow-Wyner scheme that 
preserves security of the k source symbols, which are coded into the n multicast symbols, can 
be designed over a sufficiently large field. 

Using the observations made by Feldman et al. in [6], we show that our scheme is equivalent 
to the one proposed in the pioneering work of Cai and Yeung in [4]. However, with our approach, 
we can quickly and transparently recover some of the results available in the literature on 
secure network coding for wiretapped networks. The algorithm due to [4] is based on the code 
construction proposed by Li et al. in [3], however more efficient network coding algorithms have 
been proposed recently (see, e.g., [19] and [20]). We use the results on the encoding complexity 
of the network coding presented in [20], [21], [22] to derive new bounds on the required field 
size of a secure network code that are independent of the number of edges in the network and 
that depend only on the number k of source symbols and the number t of destinations. We 
also propose an algorithm for construction of a secure network code that achieves these bounds. 
Furthermore, we look at the dual problem and analyze the security of a given Ozarow-Wyner 
code by studying the amount of information that can be gained by the wiretapper as a function 
of the number of wiretapped edges. 

Parts of the results presented in this paper were published in [1] and were later extended 
in [23], [24] by Silva and Kschischang to construct universal secure network codes based on 
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maximum rank-distance (MRD) codes, and by Mills et al. in [25] to achieve secrecy for wireless 
erasure networks. 

This paper is organized as follows: In Section HH we briefly review the Ozarow-Wyner wiretap 
channel of type II problem. In Section [Till we introduce the network generalization of this 
problem. In Section [TV] we present an algorithm for secure network code design and establish 
new bounds on the required code alphabet size. In Section |Vj we study the security of Ozarow- 
Wyner codes. In Section |VI] we highlight some connections of this work with other works on 
secure network coding and network error correction. Finally, we conclude in Section IVIII with 
a summary of our results and open problems. 

II. Wiretap Channel II 

We first consider a point-to-point scenario in which the source can transmit n symbols to the 
receiver and an adversary can access any [i of those symbols [17], [18]. For this case, we know 
that the maximum number of symbols that the source can communicate to the receiver securely 
in the information-theoretic sense is equal to n — fi. 

The problem is mathematically formulated as follows. Let S = (s±, s 2 , ■ ■ ■ , Sk) T be the random 
variable associated with the k information symbols that the source wishes to send securely, 
Y = (yi, y 2 , ■ ■ ■ , y n ) T the random variable associated with the symbols that are transmitted 
through the noiseless channel between the source and the receiver, and Z = (zi, z 2 , . . . , z fM ) T the 
random variable associated with the wiretapped symbolsof Y, When k < n — fi, there exists an 
encoding scheme that maps S into Y such that: 

1) The uncertainty about S is not reduced by the knowledge of Z (perfect secrecy condition), 
i.e., 

H(S\Z) = H(S), (1) 

and, 

2) The information S is completely determined (decodable) by the complete knowledge of 
Y, that is, 

H(S\Y) = 0. (2) 

For n = 2, k = 1, fx = 1, such a coding scheme can be constructed as follows. If the source 
bit equals 0, then either 00 or 11 is transmitted through the channel with equal probability. 
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Similarly, if the source bit equals 1, then either 01 or 10 is transmitted through the channel with 
equal probability: 



source bit Si 





1 


codeword y\y 2 chosen 
at random from 


{00,11} 


{01,10} 



It is easy to see that knowledge of either y\ or y 2 does not reduce the uncertainty about si, 
whereas the knowledge of both y t and y 2 is sufficient to completely determine si, namely, 

si = yi + V2- 

In general, k — n — [i symbols can be transmitted securely by a coding scheme based on an 
[n,n — k] linear maximal distance separable (MDS) code C C F™. In this scheme, the encoder 
is a probabilistic device which operates on the space F™ partitioned into q k cosets of C, where 
q is a large enough prime power. The k information symbols are taken as the syndrome which 
specifies a coset, and the transmitted word is chosen uniformly at random from the specified 
coset. The decoder recovers the information symbols by simply computing the syndrome of the 
received word. Because of the properties of MDS codes, knowledge of any /x = n — k or fewer 
symbols will leave the uncertainty of the k information symbols unchanged. The code used in 
the above example is the [2, 1] repetition code with the parity check matrix 



n 



i i 



(3) 



III. Wiretap Network II 

We now consider an acyclic multicast network G = (V, E) with unit capacity edges, an 
information source, t receivers, and the value of the min-cut to each receiver is equal to n. The 
goal is to maximize the multicast rate with the constraint of revealing no information about the 
multicast data to the adversary that can access data on any \l edges. We assume that the adversary 
knows the implemented network code, i.e. all the coefficients of the linear combinations that 
determine the packets on each edge. Moreover, we assume that there is no shared randomness 
between the source and the receivers. The latter assumption rules out the use of traditional "key" 
cryptography to achieve security. 

It can be seen that the wiretap channel of type II is equivalent to the simple unicast network 
of Figure Q] formed by n disjoint edges between the source and the destination, each carrying a 
different symbol. For this network, the source can multicast k < n — fi symbols securely if it 




Fig. 1. Network equivalent to the wiretap channel of type II. 



first applies a secure wiretap channel code (as described above) mapping k information symbols 
into n transmitted symbols (yi, . . . , y n ). 

For general networks, when security is not an issue, we know that a multicast rate n is possible 
with linear network coding [2], [3]. It is interesting to ask whether, using the same network code, 
the source can always multicast k < n — /i symbols securely using a wiretap channel code at 
the source. Naturally, this would be a solution if a multicast rate of n can be achieved just by 
routing. 

Example 1 (Butterfly Network): Consider this approach for the butterfly network shown in 
Figure [2] where we have n — 2, k — 1, \i — 1. If the source applies the coding scheme described 
in the previous section and the usual network code as in Figure Eta), the wiretapper will be 
able to learn the source symbol if it taps into any of the edges BE, EF or ED. Therefore, a 
network code can break down a secure wiretap channel code. However, if the network code is 
changed so that node B combines its inputs over, e.g., F 3 and the coding vector of edge BE is 
1 a where a is a primitive element of F 3 (i.e., the message sent on edge BE is x\ + ax 2 as 
in Figure 12b)), the wiretap channel code remains secure, that is, the adversary cannot gain any 
information by accessing any single edge in the network. Note that the wiretap channel code 



based on the MDS code with H 



1 1 



remains secure with any network code whose BE 



coding vector is linearly independent of 



1 1 



We will next show that the source can multicast k < n — [i symbols securely if it first applies 
a secure wiretap channel code based on an MDS code with a k x n parity check matrix H 
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Fig. 2. Single-edge wiretap butterfly network with a) insecure network code and b) secure network code. 



if the network code is such that no linear combination of /i = n — k or fewer coding vectors 
belongs to the space spanned by the rows of H. Let W C E denote the set of \W\ = fi edges 
the wiretapper chooses to observe, and Zw = (zi, z 2 , . . . , z^) T the random variable associated 
with the packets carried by the edges in W. Let Cw denote the matrix whose rows are the 
coding vectors associated with the observed edges in W. As in the case of the wiretap channel, 
S = (si, S2, • • • , Sk) T denotes the random variable associated with the k information symbols 
that the source wishes to send securely, and Y = (y%, y 2 , . . . , y n ) T the random variable associated 
with the n wiretap channel code symbols. The n symbols of Y will be multicast through the 
network by using linear network coding. Writing H(S, Y, Zw) in two different forms, and taking 



s 



into account the decodability condition of Equation ©, we get 

H{S\Z W ) + H(Y\SZ W ) = H(Y\Z W ) + H(S\YZ W ) . (4) 

=o 

Our objective is to conceal all the information data from the wiretapper. The perfect secrecy 
condition implies 

H(S\Z W ) = H(S),VW C E s.t. \W\ = /i. 

Thus we obtain, 



H{Y\SZ W ) = H{Y\Z W ) - H{S). 



This implies, in turn that 



n — rank(CV) — k > 0. 



(5) 



(6) 



Since there is a choice of edges such that rank(CV) 
transmission is bounded as 

k < n — /i. 



fi, the maximum rate for secure 



If the bound is achieved with equality, we have H(Y\SZw) = and consequently, the system 
of equations 

S~\ I n 

■Y 

has to have a unique solution for all W for which mnk(C w ) = [i. That is, 

n 



s 




n 






c w 



rank 



a 



w 



n for all Cw s.t. rank(Cv^) = /x. 



(7) 



This analysis proves the following result: 

Theorem 1: Let G = (V, E) be an acyclic multicast network with unit capacity edges and an 
information source such that the size of a minimum cut between the source and each receiver 
is equal to n. Then, a wiretap code at the source based on an MDS code with a k x n parity 
check matrix H and a network code such that no linear combination of fi = n — k or fewer 
coding vectors belongs to the space spanned by the rows of TC make the network information- 
theoretically secure against a wiretap adversary who can observe at most n < n — k edges. Any 
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adversary able to observe more than n — k edges will have uncertainty about the source smaller 
than k. 

Next, we give an application of the previous theorem to the family of combination networks 
illustrated in Figure [3] 




Fig. 3. Combination B(n,M) network. 



Example 2 (Combination Networks): A combination network B(n,M) is defined over a 3- 
partite graph comprising three layers. The first layer contains a single source node, the second 
layer M intermediate nodes and the last layer is formed by ( ) receiver nodes such that every 
set of n nodes of the second layer is observed by a receiver. 

The result of Theorem \T\ can be used to construct a secure network code for B(n, M) from 
an [M + k, M + k — n] MDS code which would achieve perfect secrecy against a wiretapper 
that can observe any [i = n — k edges in the network. Let H be an n x (M + k) parity check 
matrix of such MDS code over ¥ q . A secure network code can be obtained by taking the first 
k rows of H T to form the matrix of the coset code at the source, and the rest of the rows of 
H T to be the coding vectors of the M edges going out of the source. Equation © is satisfied 
since the considered code is MDS and, therefore, any n columns of H form a basis of F" For 
instance if M + k + 1 is equal to a prime power q, a secure network code can be derived based 
on an [M + k, M + k — n] Reed-Solomon code with the following Vandermonde parity check 
matrix 

r, _ a M+k-i ■ 

a 2(M+k-l) 



H 



a 



or 



1 a r 



a 



n(M+k-l) 



(8) 
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where a is a primitive element of ¥ q . Figure |4] depicts a secure network code for the network 
5(3, 4) and k = 2 using a [6,3] Reed-Solomon code over F 7 whose parity check matrix is given 
by Equation © for a = 3. 
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Fig. 4. A secure network code for the B(3, 4) combination network based on a [6,3] Reed-Solomon code over Fr. 

The above analysis shows that the maximum throughput can be achieved by applying a 
wiretap channel code at the source and then designing the network code while respecting certain 
constraints. The decoding of secure source symbols S is then merely a matrix multiplication of 
the decoded multicast symbols Y since HY = S. The method gives us a better insight of how 
much information the adversary gets if he can access more edges than the code is designed for. 
It also enables us to design secure network coding schemes over smaller alphabets. These two 
issues are discussed in detail in the next two sections. 

IV. Network Code Design Alphabet Size 

The approach described previously in the literature for finding a secure multicast network 
code consisted of decoupling the problem of designing a multicast network code and making it 
secure by using some code on top of it. Feldman et al. showed in [6] that there exist networks 
where the above construction might require a quite large field size. In this section, we present a 
different construction that exploits the topology of the network. This is accomplished by adding 
the security constraints to the Linear Information Flow (LIF) algorithm of [19] that constructs 
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linear multicast network codes in polynomial time in the number of edges in the graph. The 
result is a better lower bound on the sufficient field size. However, the modified LIF algorithm 
does not have a polynomial time complexity. 

We start by giving a brief high level overview of the LIF algorithm of [19]. The inputs of the 
algorithm are the network, the source node, the t receivers and the number n of packets that 
need to be multicast to all receivers. Assuming the min-cut between the source and any receiver 
is at least n, the algorithm outputs a linear network code that guaranties the delivery of the n 
packets to all the receivers. 

The algorithm starts by 1) finding t flows Fi, F 2 , . . . , F t of value n each, from the source to to 
each receiver and 2) defining t nx n matrices Bp. (one for each receiver) formed by the global 
encoding vectors of the n last visited edges in the flow Fj. Initially, each matrix Bp. is equal to 
the identity matrix /„. Then, the algorithm goes over the network edges, visiting each one in a 
topological order. In each iteration, the algorithm finds a suitable local encoding vector for the 
visited edge, and updates all of the t matrices Bp.. The algorithm maintains the invariant that 
the matrices Bp remain invertible after each iteration. Thus, when it terminates, each receiver 
will get n linear combinations of the original packets that form a full rank system. Thus each 
destination can solve for these packets by inverting the corresponding matrix. 

The analysis of the algorithm due to [19] implies that a field of size at least t (the number of 
destinations) is sufficient for finding the desired network code. In particular, as shown in [19, 
Lemma 8], a field of size larger or equal to t is sufficient for satisfying the condition that the t 
matrices Bp are always invertible. 

To construct a secure network code, we modify the LIF algorithm in the following way. We 
select a k x n parity check matrix TC. Without loss of generality, we assume that the // packets 
observed by the wiretapper are linearly independent, i.e., rank Cw = A*- We denote by the 
edge visited at the i-th iteration of the LIF algorithm, and by P, the set of the edges that have 
been processed by the end of it. Then, we extend the set of invariants to guaranty that the 

r w i 

encoding vectors are chosen so that the matrices Mw = are also invertible; which, by 

[Cw_ 

Theorem [H achieves the security condition. More precisely, using the same techniques as the 
original LIF algorithm, we make sure that by the end of the i-th iteration, the matrices Bp. and 
the matrices are invertible; where W{ = {e^} U W and W is a subset of Pj containing 
fi — 1 = n — k — 1 edges. The total number of matrices that need to be kept invertible in this 
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modified version of the LIF algorithm is at most ('^1/) + 1. Thus, similarly as in [19, Lemma 



8], we obtain the following improved bound on the alphabet size for secure multicast: 

Theorem 2: Let G = (V, E) be an acyclic network with unit capacity edges and an information 
source such that the min-cut value to each of the t receivers is equal to n. A secure multicast at 
rate k < n — [i in the presence of a wiretapper who can observe at most fi < n edges is possible 
over the alphabet ¥ q of size 



The bound given by Equation © can be further improved by realizing as was first done in 
[20] that not all edges in the network carry different linear combination of the source symbols. 
Langberg et al. showed in [21] that the number of encoding edges in a minimal acyclic multicast 
network is bounded by 2nH 2 . Encoding edges create new packets by combining the packets 
received over the incoming edges of their tail nodes. A minimal multicast network does not 
contain redundant edges, i.e., edges that can be removed from the network without violating its 
optimality. Reference [22] presents an efficient algorithm for construction of a minimal acyclic 
network G from the original network G. This work also shows that a feasible network code for 
a minimal network can be used for the original network as well with only slight modifications. 

The main idea of our scheme is to find a secure network code for the minimal network G, 
and then use the procedure described in [22] to construct a network code for original network 
G which will also be secure. Now consider the problem of finding secure network codes for G. 
This problem will not change if the wiretapper is not allowed to wiretap the forwarding edges, 
i.e., the edges that just forward packets received by their tail nodes. Therefore, the set of edges 
that the wiretapper might have access to consists of the encoding edges and the edges outgoing 
from the source. The number of such edges is bounded by 2n 3 t 2 . Now, applying Theorem [2] on 
G and taking into consideration the restriction on the edges that can be potentially wiretapped, 
we obtain the following bound on the sufficient field size which is independent of the size of 
the network. 

Corollary 1: For the transmission scenario of Theorem [2l a secure mulitcast network code 
always exists over the alphabet ¥ q of size 




(9) 




(10) 
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For networks with two sources, we can completely settle the question on the required alphabet 
size for a secure network code. Note that the adversary has to be limited to observing at most 
one edge of his choice. Based on the work of Fragouli and Soljanin in [20], the coding problem 
for these networks is equivalent to a vertex coloring problem of some specially designed graphs, 
where the colors correspond to the points on the projective line PG(1, q): 

[01], [10], and [la 1 ] for < i < q-2, (11) 

where a is a primitive element of ¥ q . Clearly, any network with two sources and arbitrary number 
of receives can be securely coded by reducing the set of available colors in (fTT|) by removing 
point (color) [1 1] and applying a wiretap code based on the matrix TC = [1 1] as in the example 
above. Alphabet size sufficient to securely code all network with two sources also follows from 
[20]: 

Theorem 3: For any configuration with two sources t receivers, the code alphabet ¥ q of size 

[y/2t - 7/4 + 1/2J +1 
is sufficient for a secure network code. There exist configurations for which it is necessary. 

V. Wiretapper Equivocation 

In this section, we analyze the performance of coset codes in the case of a wiretapper with 
variable strength, i.e., the number /i of edges he can observe is not fixed. For a given coset code, 
we seek to quantify the amount of information that is leaked to the wiretapper as a function of 
//. 

Assume that at the source s of a multicast network a coset code defined by a k x n parity 
check matrix TC is used as described in the previous section. The equivocation A(/i) of the 
wiretapper, i.e., the uncertainty it has about the information source vector S = (si, . . . , Sk) T , is 
defined, as in [18], based on the worst case scenario, by 

A(//) := mm H{S\Z W ), (12) 

WcE;\W\=n 

where Zw = ■ ■ ■ , z^) T is the random variable representing the observed packets on the 
set W C E of wiretapped edges. We have Z w = C^Y where Cw is an /i x n matrix, and 
Y = (yx, . . . ,y n ) T is the output of the coset code at the source. It can be seen that A(/x) can 
be written as: 
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A(fx) = min H(S\Z W ). 

WcE;\W\=n 
mnk(Cw)=t 1 



(13) 



Therefore, we will assume from now on without loss of generality that W is such that 
rank(CV) = fx. For a given choice of such W, let C w be the parity check matrix of the [n, fx] 
code generated by Cw- Let /„ be the n x n identity matrix. Define J n !jU to be the n x (n — fx) 
matrix where the first fx rows are all zeros and the last n — fx rows form J n _ M . Theorem 0] below 
gives the expression of A(/i) which depends on the network code and the coset code used. 

Theorem 4: 

Cw 



Proof: 
First let Aw 



w 



w 



A(u) = min rank(7^ 

WcE;\W\=fi 
rank(Cw)=t 1 



By Equation ([4]), we have 



C 



w 



J, 



(14) 



H(S\Z 



w ) 



H{Y\Z W )-H{Y\SZ W ) 
rank(CV) — (n — rank 



n 



H 

Cw 



rank( 



rank( 



Ti 

Cw 



Aw) 



rank(CV) 



(15) 



rank(Ci 



w , 



CwA^ 

= dim((^ 1 )) + dim((C w A^)) 
- dxm{{HA^) n (CwA^)) - rank(CV) 
= k-dim((HA w 1 )n(J' n J), 
where (■) denotes the row space of a matrix and J' is the fx x n matrix where the first fx 
columns form 1^ and the last n — fx columns are all zeros. Note that dim^HA^) H (J' n u)) is 
exactly k minus the rank of the last n — fx column vectors of HA^- ■ 

A relevant concept to our work here is that of the generalized Hamming weights di(C), . . . , dk(C) 
of a linear code C which was introduced by Wei in [26] and that characterize the performance 
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of coset codes over the classical wiretap channel of type II. The generalized Hamming weights 
were extended to the wiretap networks setting in [27]. Given a certain network with an asso- 
ciated network and coset codes, Theorem |4] provides an equivalent expression of the network 
formulation of the r-th generalized Hamming weight d r as the minimum number of edges that 
should be wiretapped to leak r symbols to the wiretapper. Then, we can write 



d r := min{/i; A(/i) = k — r} 
:= minju; min rank 

WCE;\W\=H 
rank(CV)=Ai 

Next, we focus on three special cases. First, we revisit the model of the wiretap channel of 
type II of [17]. Second, we consider the case where the wiretapper may gain access to more 
edges than what the secure code is designed to combat. Third, we study the scenario where only 
a part of the network edges are vulnerable to wiretapping. 



w 



w 



Jn 



4i J 



k — r}. 



(16) 



A. Wiretap Channel of Type II 

Consider again the wiretap channel of type II studied in [17]. Theorem @] can be used to easily 
recover the following classical result for this channel. 

Corollary 2: The equivocation rate of the wiretapper in the wiretap channel of type II is given 

by 

A(u) = min rank-T^ji E U\, (17) 

UC{l,2,...,n} 
\U\=n—fi 

where Hi denote the ith column of the parity check matrix H. 

Proof: The wiretap channel of type II is equivalent to the network depicted in Figure [Q 
Assume that the edges between the source and the destination are indexed from 1 to n, so that 
E = {1, . . . , n}. For any W C {1, . . . , n}, define I w to be the matrix formed by the rows of 
the n x n identity matrix indexed by the elements of W in an increasing order. Since edge i 
carries the packet yi, for a given set W C E of wiretapped edges, C w = I w and = Ijj, 



where U — {1, . . . , n} \ W. Therefore, 

lu 

HAjy are exactly the columns of H indexed by U 



i -l 

Iw 



Ajy, and the last n — p columns of 
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B. Underestimated Wiretapper 

Suppose the coset code defined by the k x n parity check matrix H satisfies Theorem \T\ 
and achieves perfect secrecy against a wiretapper that can observe A edges. If, however, the 
wiretapper can access p edges, where p > A, then the amount of information leaked to the 
wiretapper can be shown to be equal to p — A, i.e., the number of additional wiretapped edges. 

Corollary 3: For the case of an underestimated wiretapper, the equivocation of the wiretapper 
is given by: 

A(//) = k - (p - A). 

Proof: Since the coset code achieves perfect secrecy for A wiretapped edges, by Theorem [Q 
we have k = n — A and H(S\YZ W ) = 0. Thus, Equation © gives 

H{S\Z W ) = H(Y\Z W ) = n- rank(CV) = k + A - rank(CV). 

The minimum value of H(S\Z W ) is obtained when Cw has maximal rank, i.e, when rank(CV) = 

■ 

C. Restricted Wiretapper 

In practice, for instance in large networks, the wiretapper may not have access to all the 
network edges, and his choice of p edges is limited to a certain edge subset E' C E. For this 
model, the equivocation rate of the wiretapper is determined by Equation [14] where E is replaced 
by E' . An interesting case arises, however, when the edges in E' belong to a cut of n edges 
between the source and one of the receivers. In this case, the performance of the coset code is 
the same as when it is used for a wiretap channel of type II. 

Corollary 4: In the case of a restricted wiretapper that can observe any p edges in a cut 
between the source and one of the destinations, the equivocation rate of the wiretapper is given 
by Equation (fT71) . 

Proof: Assume the edges that are vulnerable to wiretapping are indexed from 1 to n, 
so that E' = {1, . . . , n}. Let Ze* = (zi, . . ., z n ) T denote the packets carried by those edges, 
such that edge i carries packet z^. We can write Z E < = Ce'Y, where Ce 1 is an n x n matrix. 
Since the cut comprises n edges, the matrix Ce' is invertible; otherwise, by the properties of 
linear network codes, the destination corresponding to the considered cut cannot decode Y. For 
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Fig. 5. A coding scheme achieving perfect secrecy against a limited Byzantine wiretapper. 



a choice W C E' of wiretapped edges, we have Z w = C W Y, where C w = I W C E <- Moreover, 
C w = I W C E >, where W = E'\W. Therefore, 



n 



-i -i 



H{C L 



Iw 
I- 



w 



1 = 7~LC ' E , 



-i t 



Iw 



Similar to the proof of Corollary [2l the last n — /x columns of HA 1 
columns of HA^ 1 indexed by U . So, by Theorem 0] we have 



-i T 



Iw 

I 



w 



are exactly the 



A(/x) = min rank{{H A' 1 ) i;i e U} 

Yu\=n-'fJ, 

= min rank\Hi] i E U\ . 

UC{l,2,...,n] 
\U\=n-ti 



Note that the previous result still holds for any subset E' of possible wiretapped edges such that 
Ce> is invertible. For this scenario, the equivocation rate of the wiretapper can be alternatively 
given by the generalized Hamming weights [26] di(C), . . . , d k (C) of the linear code C generated 
by H. In this case, for a given //, A(/i) is the unique solution to the following inequalities [26, 
Cor. A]: 



dn-n-AQj)^)) <n — fl< d rl _ /i _A( M )+l(C). 



VI. Connections with Other Schemes 

In this section, we explore the relationship between the proposed scheme and previously known 
constructions [4], [28], [29], [23]. 
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A. Secure Network Coding and Filtered Secret Sharing 

Cai and Yeung were first to study the design of secure network codes for multicast demands 
[4]. They showed that, in the setting described above, a secure network code can be found for 
any k < n — /x. Their construction is equivalent to the following scheme: 

1) Generate a vector R = (r 1 , r 2 , . . . , r^) T choosing its components uniformly at random 
over F q , 

2) Form vector X by concatenating the \i random symbols R to the k source symbols S: 

= (s 1 ,...,s k ,r 1 ,...,r IJ ,) T 

3) Chose an invertible n x n matrix T over F q and a feasible multicast network code [3] to 
ensure the security condition (OQ). (It is shown in [4, Thm. 1] that such code and matrix T 
can be found provided that q > 

4) Compute Y = TX and multicast Y to all the destinations by using the constructed code. 
Feldman et al. considered also the same problem in [6]. Adopting the same approach of 

[4], they showed that in order for the code to be secure, the matrix T should satisfy certain 
conditions ([6, Thm. 6]). In particular, they showed that in the above transmission scheme, the 
security condition (OQ) holds if and only if any set of vectors consisting of 

1) at most [i linearly independent edge coding vectors and/or 

2) any number of vectors from the first k rows of T _1 

is linearly independent. They also showed that if one sacrifices in the number of information 
packets, that is, take k < n — /i, then it is possible to find secure network codes over fields of 
size much smaller than the very large bound q > 

We will now show that our approach based on coding for the wiretap channel at the source 
is equivalent to the above stated scheme [4] with the conditions of [6]. 

Proposition 1: For any n x n matrix T satisfying the security conditions defined above, the 
kxn matrix H = T* formed by taking the first k rows of T -1 satisfy the condition of Theoremd] 

Proof: Consider the secure multicast scheme of [4] as presented above. For a given 
information vector S G F£, let B(S) be the set of all possible vectors Y E F™ that could 



X 
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be multicast through the network under this scheme. More precisely, 

'3 



B(S) = {FG F"|F = TX,X 



R 



ReF 



n—k 



Then, for all Y E B(S), we have T*Y = T*T 



S. Therefore, any Y 6 B(S) also belongs 



to the coset of the space spanned by the rows of T* whose syndrome is equal to S. Moreover, 
since T is invertible, l-E^S 1 )] = implying that set B(S) is exactly that coset. The conditions 
of [6] as stated above directly translate into (fT8l) . the remaining condition of Theorem [IJ ■ 



B. Universal Secure Network Codes 

For practical implementations of linear multicast network codes over F 9 , the information 
sources are typically packets of a certain length m, i.e., si, . . . , are vectors in F™. Applying 
the approach presented in the preliminary version of this paper [1], Silva and Kschischang 
devised in [23] a scheme that achieves a complete decoupling between the secure code and the 
network code design. Their scheme is universal in the sense that it achieves secrecy by applying 
a coset code at source with no knowledge of the network code used. The main idea is to use 
a special class of MDS codes called maximal rank-distance codes (MRD) which are non-linear 
over ¥ q but linear over the extension field ¥ q m. The parity check matrix of an MRD code over 
F 9 m, has the interesting property that it always satisfies the condition of Theorem \T\ when the 
edge coding vectors are over ¥ q , as stated in the theorem below. 

Lemma 1: [23, Lemma 3] Let H be the parity check matrix of an [n, n — k] linear MRD code 

over ¥ q m. For any full rank (n — k) X n matrix B over ¥ q , the n x n matrix 

Therefore, MRD codes will always achieve perfect secrecy irrespective of the network code 
used. The choice of the MRD code will only depend on the underlying field ¥ q of the network 
code. 



U 

is invertible. 

B ' 



C. Byzantine Adversaries 

The malicious activity of the wiretapper in the model considered in this paper was restricted to 
eavesdropping. A more powerful wiretapper, with jamming capabilities, may not only listen to the 
data in the network but also alter it. This may lead to flooding the whole network with erroneous 
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packets. Schemes to combat such wiretappers, known in literature as Byzantine adversaries, were 
studied in [12], [15], [16] and the references within. 

Consider a scenario where the wiretapper can not only observe fx edges but also jam a edges 
of his choice that are unknown to the destinations. In this case, we will describe a coding 
scheme that achieves a multicast rate of k = n — 2a — fx and guaranties that the information will 
remain hidden from the wiretapper. This can be achieved by using a coset code as described in 
Section Un] followed by a powerful network error-correcting code [13], [14]. First, we recall an 
important result in [14, Theorem 4] 

Theorem 5: For an acyclic network G(V, E) with min-cut n, there exists a linear a-error- 
correcting code of dimension [n — 2a) over a sufficiently large field. 

Let Q be the generator matrix of a linear a -error-correcting code of dimension (n — 2a) whose 
existence is guaranteed by the previous theorem, and Let Q 1 - be its parity check matrix. A block 
diagram of the coding scheme that achieves secrecy against a Byzantine wiretapper at a rate 
k = n — 2a — fx is depicted in Figure \5\ First, the information S = (s±, . . . , Sk) T is encoded 
using a coset code of parity check matrix H into the vector T = (ti, . . . , t m ) T , with m = k + fx. 
The vector T is then encoded into Y — (y 1 , . . . , y n ) T = QT using the network error-correcting 
code. To achieve perfect secrecy, H should satisfy the condition of Theorem [Q which can be 
expressed here as: 

r H 

CwG 

We assume that the code is over a field large enough to guaranty the existence of the network 
error-correcting code and the matrix H satisfying the above condition as well. At each destination, 
a decoder corrects the errors introduced by the wiretapper and recovers T. The information S is 
then obtained as the unique solution of the system HS = T. It was recently shown in [30] that 
the rate k = n — 2a — ii is optimal and another construction for codes with the same properties 
was presented there. 

VII. Conclusion 

We considered the problem of securing a multicast network implementing network coding 
against a wiretapper capable of observing a limited number of edges of his choice, as defined 
initially by Cai and Yeung. We showed that the problem can be formulated as a generalization 



rank 



k + ii for all C w s.t. rank(CV) = /i. (18) 
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of the wiretap channel of type II which was introduced and studied by Ozarow and Wyner, and 
decomposed into two sub-problems: the first one consists of designing a secure wiretap channel 
code, or a coset code, and the second consists of designing a network code satisfying some 
additional constraints. We proved there is no penalty to pay by adopting this separation, which 
we find in many ways illuminative. Moreover, this approach allowed us to derive new bounds on 
the required alphabet size for secure codes. These new bounds differ from those in the literature 
in that they are independent from the network size and are functions of only the number of 
information symbols and that of destinations. We also analyzed the performance of the proposed 
coset codes under various wiretapper scenarios. 

A number of interesting questions related to this problem remain open. For instance, the 
bounds presented here on the code alphabet size can be large in certain cases and it is worthy to 
investigate whether tighter bounds exist. Another issue which was not addressed in this paper is 
that of designing efficient decoding algorithms at the destinations which can be very important 
in practical implementations. Also, the work of [23] hinted at some advantages of non-linear 
codes. The benefits of nonlinearity in security applications, whether at the source code or at the 
network code level, are still to be better understood. 
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